Re: [WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths
- From: Andrew van der Stock <vanderaj@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths
- Date: Thu, 16 Mar 2006 02:47:06 +1100
I have, back in January, but it has been a long time between drinks. I
found no buffer overflows in the reviews I conducted in 2005, and
only IIRC one in 2004. I did maybe 20-30 app reviews a year prior to
2005, and in 2005 I started doing massive reviews of major systems,
looking at very large code bases.

What surprised me was how incredibly resistant the developer from my
January review was about fixing them, even though they are completely
preventable. Only when we showed how trivial it was to exploit them
did they fix only the demo overflows we crafted. This is yet another
reason why I think languages like C++ and C have had their day,
particularly in relation to enterprise class apps.

Compared to, say, validation, authorization and injection issues,
buffer overflows are completely over-hyped. When I finish Guide 2.1,
my next target is to revitalize the Top 10, and buffer overflows are
out.
thanks,
Andrew
On 16/03/2006, at 1:23 AM, Ory Segal wrote:
> Hi,
>
> Another interesting thing to note, which I totally agree with is:
>
> Quote: "While technically possible, the truth is that they are just
> not seen in the real world. Our experience at WhiteHat Security,
> having assessed hundreds of Web sites and identified thousands of
> vulnerabilities, shows that statistically, buffer overflows appear
> near the bottom of the list of total discovered issues."
>
> I've been around for quite a while, and I can't remember the last
> time I have seen a Buffer Overflow in a custom-built web
> application. Anyone else?
>
> -Ory
>
Brought to you by http://www.webappsec.org